Using RADIUS to authenticate users with RSA SecurID
Posted by JacobAppelbaum on Fri 16 Mar 2007 at 10:02
Recently I was tasked with authenticating users who carry RSA SecurID tokens. I was highly inspired by Jeff Wirth and his success using RADIUS to authenticate with SecurID Tokens on FreeBSD. While I'm not a fan of non-free software, it's possible to make each server authenticate against the non-free RSA Ace server using only free software. This isn't a perfect solution but it's useful when such a requirement is thrust upon you.
The requirements are simple. Your RSA Authentication server must be configured to allow authentication through a RADIUS server. This means that your RSA server has some sort of RADIUS server running on it or somehow you have a RADIUS server authenticating against your RSA ACE server.
As a result of the simple nature of a RADIUS server, you'll have authentication but you'll be lacking directory services. This is suboptimal but still useful in specific cases. This is an example where you want to authenticate and you can handle creating a user name, a user ID and a group ID on the local system.
First we're going to install the PAM module that authenticates against our RADIUS server:
apt-get install -y libpam-radius-auth
The aforementioned package installs the configuration file /etc/pam_radius_auth.conf
If you're savvy enough to read the (mostly worthless) documentation, you'll note that the PAM module uses the odd configuration file location of: /etc/raddb/server. You can safely ignore that file location and only modify /etc/pam_radius_auth.conf
So we'll create a new pam_radius_auth configuration file:
cat << 'EOF' > /etc/pam_radius_auth.conf # pam_radius_auth configuration file. # server[:port] shared_secret timeout (s) # Here are two example servers (change this to fit your needs): 10.1.1.1 SECRETGOESHERE 3 10.1.2.1 SECRETGOESHERE 3 EOF
Now we're going to change the permissions of the file so that the PAM module doesn't complain:
chown root /etc/pam_radius_auth.conf chmod go-rwx /etc/pam_radius_auth.conf
Now we're going to configure PAM to authenticate against RADIUS. We're also going to cause PAM to create a home directory for any user that successfully authenticates with PAM. I highly suggest you read the previous article on this subject.
We're going to clobber our PAM common-auth file with the next command. This essentially includes every single service we might want to authenticate with. You could authenticate different applications based on needs, though nearly all PAM application specific files include common-auth
Here's an example common-auth for pam_radius_auth:
cat << 'EOF' > /etc/pam.d/common-auth # Radius auth # For these next three lines to grant auth, you must have a local user name # This must be the same as your RADIUS name # Remove the "debug" argument on the next line after everything works auth sufficient pam_radius_auth.so debug account required pam_radius_auth.so session required pam_radius_auth.so # Generic unix auth services below auth required pam_unix.so nullok_secure # Automatic home directory creation # See this article for more information: # http://www.debian-administration.org/articles/403 # session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 silent EOF
Because RADIUS doesn't provide a directory service, we have to have UID and GID information pre-populated on our system. There are a number of methods for doing this. Generally this means using a system other than RADIUS (such as LDAP) to handle authentication. This clearly isn't an option when our goal is to use RADIUS. However, we can simply add the UID and GID information to each system to get around this issue. This allows a user to attempt to login and if they can successfully authenticate with RADIUS, PAM will create their home directory according to their system wide UID and GID. If the user doesn't have a username on the system that matches their RADIUS login name, they won't be able to login to the system.
Here's an example method that pre-populates a system to add a user that can use sudo to gain root entirely authenticated with RADIUS:
useradd ioerror -G admin
At this point, we can login with RADIUS. Your login is your SecurID login name. For a user to login, they require a local unix account name (such as the example pre-populated above) and it must match this SecurID login name. Your password during login is your private pin number and your RSA SecurID token code as one concatenated numeric string.